The more we depend on smart devices and wireless technology, the more cybercrime will rise – but so too will the profits of firms thwarting the criminals, says Matthew Partridge.
Imagine this. It’s a beautiful day. You’re heading to the coast in your new car. You’re driving down the motorway at a steady pace in perfect weather, your favourite song on the radio. Then, things start to go wrong. The radio changes channel. The air conditioning blasts out a stream of hot air. No big deal, you think – just a few bugs. Then the lights start flashing. As you fruitlessly flick the indicator switch, the car starts to slow down. No matter how hard you push on the accelerator, the car refuses to respond, until it comes to a screeching halt – right in the path of a huge lorry.
Cheap science fiction? Sadly not. Just last year two hobbyists, Charlie Miller and Chris Valasek, made headlines in the US when they hacked into a car as it was driving along a highway, and managed to do just this – tampering with the radio, climate control and even windscreen wipers, before slamming on the brakes.
Thankfully this was a controlled experiment to raise awareness of the potential for such remote hacking. But the real worry is that it wasn’t the first time they’d done it. It was a repeat of a similar experiment the pair had carried out in 2013, only this time it was even easier, due to advances in wireless technology. The issues they had identified and publicised still existed, suggesting that car manufacturers hadn’t taken the problem seriously.
A hacked car is scary enough. But what about a hacked plane? Last year, computer security consultant Chris Roberts was arrested by the FBI after he claimed to have taken control of an aircraft via its in-flight entertainment system, briefly forcing it to climb. Boeing and several engineers familiar with the system claimed that Roberts was either lying or exaggerating, but other experts believe he had exploited a genuine vulnerability. In any case, the US Federal Aviation Authority has repeatedly raised concerns about the risk of such an event.
The threat goes far beyond transport systems. Professor Avi Rubin of John Hopkins University in Baltimore is one of America’s top cybersecurity experts. In 2011 he gave a widely viewed TED talk on how hackers could use wireless networks to turn off medical devices, including those implanted in people’s bodies. For instance, a hacker could kill or injure someone by stopping a pacemaker, or causing an insulin-administering device to go haywire.
Rubin has only grown more pessimistic since then – he believes things are getting “increasingly worse as systems rise in complexity and hackers gain more resources and sophistication”. Events have arguably proved him right – earlier this year, hackers broke into the computer systems of a Los Angeles hospital. They threatened to shut it down unless the administrators paid a “cyber-ransom” (demanded in bitcoins, naturally). Since then, similar incidents, all using a malware program called Locky, have hit several hospitals across America.
The high cost of online crime
Such life-threatening attacks are the most visible danger posed by hackers. But the economic costs of fraud and theft, both to society and to individual companies, are also substantial. The most basic type of cybercrime is payment fraud, where stolen credit-card details are used to buy goods and services. According to Financial Fraud Action UK, a credit card and banking industry body, £567m a year is spent fraudulently on credit cards, while online banking fraud has more than doubled in value over the last two years to £133.5m.
There are fears this could rise even more rapidly with the introduction of contactless cards, which allow people to make payments of up to £30 by touching their cards against a scanner, rather than keying in an identification number. The data on these cards is encrypted. But researchers at consumer magazine Which? used a widely available card scanner to pull details from the cards, break the encryption, then use the data to buy goods online.
This is even more worrying when you consider that the use of hard cash is becoming increasingly rare. Take Sweden. Many stores and restaurants no longer accept cash, which has reduced the number of thefts and muggings – unquestionably a good thing. But online fraud has mushroomed, with 140,000 cases reported in the last year alone. The situation is so bad that retired police officers, including the former president of Interpol, are warning that too little is being done to combat the rise in electronic crime.
And payments fraud is just the tip of the iceberg. Theft of intellectual property, especially in high-tech industries, is a major problem. Last year the US government hinted that if China didn’t act to stop industrial espionage by Chinese hackers it would impose sanctions on any Chinese companies that benefited from such theft. However, despite a formal agreement on the subject in October, there is still evidence that attacks are continuing – a senior US official in the US Department of Justice warned six months ago that Chinese hacking remains “a serious threat to [US] national security”.
Aside from the direct financial costs, cybercrime can cause even more damage by disrupting firms’ operations and undermining their reputations. Perhaps the most notorious attack of recent years was the November 2014 hack of Sony Pictures by the self-styled Guardians of Peace, a hacker group linked to North Korea. The attack held up the release of The Interview, a comedy about Kim Jong Un that Sony had spent $44m producing. While it was eventually released, the attack also resulted in various embarrassing emails – including confidential information on casting decisions and actors’ salaries – being leaked to the wider press.
Estimates of the global cost of cybercrime vary hugely – by its very nature, only a certain amount of cybercrime will ever be officially recorded, and industry consultancies obviously have a vested interest in playing up the risk. However, there is general agreement that the costs are huge. Current estimates range from $450bn to $575bn a year, and that’s growing at an exponential rate, with Juniper Research reckoning it could cost the global economy $2trn by 2020. That’s not even the highest forecast – analysts at Bank of America Merrill Lynch (BoAML) put the costs at a staggering $3trn.
Companies are waking up to the threat of cybercrime
The only silver lining to all this is that the publicity surrounding various high-profile security breaches means that most companies have now “woken up”, says Professor Rubin, who also runs a cybersecurity consultancy. Boards are now taking these threats “very seriously”, with medical firms and car manufacturers in particular throwing huge sums at the issue “as medical devices increase in their connectivity and in the amount of software they run, and as the auto industry moves towards automation and self-driving cars”.
The big tech firms are also locked in a frantic race to hire the top experts in the field. In May, Apple hired Jon Callas, one of the world’s top encryption experts, while ride-sharing firm Uber hired Miller and Valasek to research ways to prevent less scrupulous hackers from breaking into their fleet. Uber has also offered to pay bounties of up to $10,000 to hackers for each flaw that they can find in Uber’s system.
These solutions make sense for some firms. But there is a limited number of world-class experts to go round, and most firms have neither the expertise nor the resources to design their own solutions from the ground up. As a result, they are turning to specialist cybersecurity firms, which offer antivirus software and firewalls to obstruct hackers. The sector is already worth $75bn globally, reckons BoAML’s Sarbjit Nahal and that’s set to reach $170bn by 2020 – an annual growth rate of nearly 20%.
But there’s more to cybersecurity than just having the right protective software installed, points out James Moar of Juniper Research. Computer viruses and malware attacks now evolve at a breakneck speed.
For example, the Zeus virus, which helps hackers to steal money from bank accounts, split into 20 different versions in the space of just five years. “There is no silver bullet” – there is no single system that “will be able to stop all attacks”. Instead, companies also need to ensure that any attacks that do manage to breach their defences are detected quickly and their impact minimised. That involves becoming better at monitoring computer traffic and data in real time, making it easier to pinpoint when and where attacks are likely to take place.
Big data and artificial intelligence
This is good news for IT services and consultancy firms that are already skilled in “big data”flow analysis. In the longer run, the most routine elements of such analysis could be automated. Artificial intelligence programmes would be trained (using machine learning) to identify suspicious data patterns and respond to such threats in real time. This would also free up humans from the process of monitoring and allow them to focus on creating better strategies.
While anti-virus companies may still end up providing the overall package, they will have to partner with, or buy services from, big data specialists such as IBM. Indeed, IBM has recently unleashed its Watson artificial intelligence system (the one that made headlines in 2011 when it beat human champions at the game show Jeopardy) in the fight against cybercrime –working with eight top universities, including the Massachusetts Institute of Technology and New York University, to develop a cloud-based system that can learn to identify suspicious patterns in web traffic, and then deal with any viruses that it finds. We look at the best ways to profit from this, and other developments in the field, below.
The six best investments in cybersecurity
Cybersecurity accounts for a relatively small part of IBM’s (NYSE: IBM) business for now. However, it is working furiously to expand in the area. Applying its Watson machine-learning technology to the task of identifying and tackling security breaches is central to these efforts, as mentioned above. IBM’s consulting business also provides companies with up-to-date information on the latest cybercrime trends. While other cybersecurity companies trade at high multiples to earnings, IBM has a 2017 price/earnings (p/e) ratio of only 11.
We’ve followed Israeli cybersecurity group Check Point Software (Nasdaq: CHKP) for a while now. Since we tipped it in March 2014 (issue 681), it has risen by a respectable 20%. Yet it still offers good value – it has been buying up smaller firms to acquire new technology and remain competitive, and its dominant position in the network security market means it should benefit from further industry consolidation. While it remains a traditional firewall company, it is increasingly partnering with firms specialising in artificial intelligence (AI) and machine learning, such as Damballa. It trades on a 2017 p/e of 16.6.
The evolution of the “internet of things” – where devices are linked to each other via the internet – creates another area for hackers to disrupt. However, it is alsogood news for security firms, such as Holland’s Gemalto (Paris: GTO). Gemalto is moving aggressively and successfully away from its core business of providing ID and payments cards (such as the Oyster card) towards providing security for connected devices. It trades on a 2017 p/e of 12.2.
BT (LSE: BT/A) may seem an odd choice, given its association with low-tech landline services. Yet while the telecoms giant still gets the majority of its income from its physical network, it has been taking advantage of its technological expertise to become a leading player in cybersecurity consultancy. It already employs 2,500 staff to offer a range of digital security services, from firewalls for home users to cutting-edge systems for large corporate clients, such as banks, and plans to employ another 900 in the division.
It even offers “ethical hacking” services, where its experts try to break into a client’s network to highlight any weaknesses. It recently announced a major partnership with start-up Darktrace, which uses AI to spot breaches. It trades on a 2017 p/e of 15.
Mid-size firms increasingly worry about cybersecurity too, but lack the resources to solve the problem in-house. Sophos Group (LSE: SOPH) provides complete security systems for these companies, which it believes have been poorly served by its rivals. It trades on a pricey-looking 35 times 2018 earnings, but it’s growing fast – revenue is expected to grow by 30% over the next two years.
If you want broad exposure to the cybersecurity sector, rather than any particular firm, you could consider a themed exchange-traded fund (ETF). Last year, the first UK-listed cybersecurity ETF was launched – ETFS ISE Cyber Security GO UCITS ETF (LSE: ISPY). This ETF avoids some of the better-known large caps in favour of smaller firms that are much more tightly focused on security.
These firms, including Sophos, could benefit from an increase in merger and acquisition activity in the sector, and the ETF is a decent way to get exposure to this. The total expense ratio is 0.75% – not the cheapest ETF in the world, but reasonable, given the lack of competition and the degree of specialisation.